SigninLogs don't get sent to Log Analytics workspace

bunhiry 0 Reputation points
2023-12-18T18:56:53.33+00:00

Hello,

I'm trying to have SigninLogs appear as a query in my log analytics workspace.

I've made sure that the diagnostic setting is set to SigninLogs and AuditLogs and being forwarded to my workspace (I only have 1 workspace).

I've waited over 24 hours, but still nothing shows up.

AuditLogs work fine, as well as other commands, since I have multiple sources of logs going into this workspace, but SigninLogs is the only one that doesn't.

When I do a query in KQL, there is no error. I can manually check that the sign-in data exists and is stored, but it's not being sent.

What is the fix for this? Since it's the only table that doesn't work.


1 answer

  1. AnuragSingh-MSFT 21,531 Reputation points Moderator
    2023-12-20T06:25:05.2966667+00:00

    bunhiry, thank you for reaching out to Microsoft Q&A for this question.

    Based on my understanding, you have configured diagnostic logs as mentioned in the following link to forward sign-in logs to Log Analytics workspace - Configure diagnostic settings.

    The following are some steps that can be taken to troubleshoot it further:

    1. Ensure that you are reviewing logs in the correct workspace and the time filter is also correct. There are services in Azure which allow for creation of LA workspace when being created. Therefore, even if you have not created the LA workspace explicitly, there might be a chance that another workspace got created as part of some other resource creation. To examine the correct LA workspace, please check the Diagnostic setting in Entra ID and note the resource group and LA workspace being shown here:

    User's image

    2. When running the query in LA workspace, check the "Time range:" option set in case the logs were not generated in the scoped time period:

    User's image

    3. You could also log off from the portal and sign in again to ensure that at least 1 new sign-in log is available. Wait for about 5 minutes and see if you are able to get the entries in the table.

    In case you are still facing issues after performing the steps above, I would suggest reaching out to Azure Support to have it investigated 1:1 as backend logs from Entra ID instance will be required to understand the reason for logs not getting forwarded. In case you face any issues contacting Azure Support, please let me know.

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
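
The checks in steps 1 to 3 of the answer above can be done with a single query run in the workspace named in the Entra ID diagnostic setting. This is an added example, not part of the original answer; the 7-day lookback and the output column names (`SourceTable`, `Records`, `Oldest`, `Newest`, `MinutesSinceNewest`) are assumptions chosen for illustration.

```kusto
// Added example: compare SigninLogs against AuditLogs (known to be arriving)
// in the same workspace.
// The time filter is set in the query itself, so the portal's "Time range"
// picker cannot hide older records.
let lookback = 7d;   // assumption: wide enough to rule out a time-range problem
// isfuzzy=true lets the query succeed even if SigninLogs has never been
// created in this workspace (a table only appears after its first record).
union isfuzzy=true withsource=SourceTable SigninLogs, AuditLogs
| where TimeGenerated > ago(lookback)
| summarize Records = count(),
            Oldest  = min(TimeGenerated),
            Newest  = max(TimeGenerated)
    by SourceTable
// How stale is the most recent record in each table?
| extend MinutesSinceNewest = datetime_diff('minute', now(), Newest)
| order by SourceTable asc
```

If the result has an AuditLogs row but no SigninLogs row, no sign-in records reached this workspace in the window. A SigninLogs row whose `Newest` value is old means records did arrive at some point and then stopped.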
